Critical Vulnerability discovered in libssh (CVE-2018-10933)

libssh, a tiny C SSH library, contains an authentication bypass vulnerability in libssh’s server-side code.

An attacker can take advantage of this flaw to successfully authenticate without any credentials by presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication.

Red Hat

This vulnerability affects libssh shipped in Red Hat Enterprise Linux 7 Extras. No libssh packages are included in Red Hat Enterprise Linux 6 and earlier. This issue does not affect libssh2 or openssh.



the following releases of Ubuntu and its derivatives are affected:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

  • libssh-4 – 0.8.1-1ubuntu0.1

Ubuntu 18.04 LTS

  • libssh-4 – 0.8.0~20170825.94fa1e38-1ubuntu0.1

Ubuntu 16.04 LTS

  • libssh-4 – 0.6.3-4.3ubuntu0.1

Ubuntu 14.04 LTS

  • libssh-4 – 0.6.1-0ubuntu3.4



For the stable distribution (stretch), this problem has been fixed in version 0.7.3-2+deb9u1.


Oracle MySQL

This vulnerability was patched with Oracle’s Critical Patch Update for january:

More information can be found on this page


Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.